Hindsight is 20/20, as they say. I think one possibly disturbing aspect of this is the idea that security had been outsourced and there may have been an inside job by a disgruntled employee - if that were true there may be other problems as well as this one. BA is NOT the only organisation at risk; this probably isn't a direct function of cost-cutting, but the requirement to be cybersecure is often not held to be a top business priority even now we have GDPR, and this was an accident waiting to happen to someone.
I'd be interested to know how "vault" CC details are transmitted to the payment processor. If this is encrypted, and it's "just" the CVC and personal data that have been compromised, it may not be a big problem from the point of view of fraud. But there is the problem that if some of the data can be matched with that from other compromised sites (not BA), more detailed information can be extracted. And in my case where my card was used on my wife's BA account to buy a POUG and being entered as a full number, that's something I'm monitoring carefully. I'm not cancelling cards just now but I don't see how in the longer term that can be avoided. I can't move house and it will be difficult to change emails, so the personal data leak is the most worrying aspect of this.
In the short term, I'll be booking via a travel agent. I'm not wild about anything that exposes any information to BA until this has been bottomed out, that includes Avios bookings for the time being. I'm not prone to panic, and I dislike compensation culture in general, but this does need some expansive gesture of contrition.